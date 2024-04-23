



What is a cloud-based Pinyin keyboard app?

There are various ways to type Chinese on a keyboard. The most common input method among users in mainland China is the Pinyin input method, which is based on the Pinyin romanization of Chinese characters. Chinese has far more characters than a keyboard has keys, so the input method must predict which character the user intends to type.

As a result, all Chinese keyboards rely on some degree of prediction. By default, prediction runs on the device and is limited by the phone's hardware. To overcome this limitation, Chinese keyboards often offer “cloud-based” prediction that sends keystrokes to servers hosting more powerful predictive models. As many have previously pointed out, this is a major privacy trade-off: “cloud-based” keyboards and input methods can act as a vector for surveillance, essentially functioning as a keylogger.

Please note that this report is not about how cloud-based keyboard operators can read users' keystrokes; that phenomenon has already been extensively studied and documented. This report is primarily concerned with protecting keystroke data from network eavesdroppers.

Which keyboard apps were analyzed in this study? And how did you choose which apps to study?

We analyzed the third-party keyboard apps from Tencent (QQ Pinyin), Baidu, and iFlytek on Android, iOS, and Windows. Together with Tencent's Sogou, these account for more than 95% of the third-party keyboard app market in China.

We also analyzed the keyboard apps installed by default on Honor, Huawei, OPPO, Vivo, Samsung, and Xiaomi devices sold in China. We chose these because they are all popular mobile phone manufacturers in China. In 2023, Honor, OPPO and Xiaomi alone accounted for nearly 50% of China's smartphone market.

What types of software vulnerabilities were identified in the keyboard apps you analyzed?

To enable “cloud-based” prediction, the keyboards we analyzed send your keystrokes to a server on the internet. We found that the way these apps send keystrokes over the internet is insecure in a number of ways. This means that if you use one of these keyboard apps, your ISP, your VPN, or even other users on the same Wi-Fi network could read the keystrokes you type on your device.
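As an added example (not code from the report or from any of the keyboard vendors), the script below shows how a defender might sift a per-app connection log for IME traffic that cannot be shown to protect keystrokes in transit. The log format, the app package names, the addresses and the rule that recognises an IME by its package name are all assumptions constructed for this example. A TLS connection is treated as protected, plaintext HTTP as exposed, and a vendor-specific protocol over raw TCP as unverified, since a network observer cannot confirm a custom scheme from the outside.

```python
"""Flag keyboard (IME) app network flows whose transport cannot protect keystrokes.

Added example, not code from the report. The flow-log format is an assumption:
one line per connection with a timestamp followed by space-separated
key=value fields, roughly what a per-app firewall or a pcap summary script
might produce.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample flows; package names and addresses are placeholders,
# not the real apps or servers discussed in the report.
SAMPLE_FLOWS = """\
2024-04-01T10:00:01Z app=com.example.ime_a dst=203.0.113.10:443 proto=tls sni=predict.ime-a.example bytes=812
2024-04-01T10:00:02Z app=com.example.ime_b dst=203.0.113.20:80 proto=http path=/cloud/predict bytes=640
2024-04-01T10:00:03Z app=com.example.ime_c dst=203.0.113.30:8080 proto=tcp bytes=512
2024-04-01T10:00:04Z app=com.example.browser dst=203.0.113.40:80 proto=http path=/index.html bytes=9000
2024-04-01T10:00:05Z app=com.example.ime_a dst=203.0.113.11:443 proto=tls sni=telemetry.ime-a.example bytes=300
2024-04-01T10:00:06Z app=com.example.ime_b dst=203.0.113.21:443 proto=tls sni=update.ime-b.example bytes=2048
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Flow:
    ts: str
    app: str
    dst: str
    proto: str
    detail: str  # SNI for TLS, request path for HTTP, empty otherwise


def parse_flow(line: str) -> Flow:
    """Parse one constructed log line into a Flow record."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    return Flow(ts, fields["app"], fields["dst"], fields["proto"],
                fields.get("sni") or fields.get("path") or "")


def is_ime(app: str) -> bool:
    # Assumption: IME packages are recognisable by name. On a real device you
    # would take this from the system's list of enabled input methods instead.
    return ".ime" in app or "keyboard" in app


def classify(flow: Flow) -> str:
    """Map a flow to what the network alone can tell you about keystroke protection."""
    if flow.proto == "tls":
        return "protected"   # TLS: an eavesdropper sees only the SNI and sizes
    if flow.proto == "http":
        return "plaintext"   # anything typed is readable on the wire
    return "unverified"      # raw TCP/UDP with a vendor-specific encoding; cannot be confirmed from outside


def audit(log_text: str) -> dict[str, list[str]]:
    """Return, per IME app, the flows that do not demonstrably protect keystrokes."""
    findings: dict[str, list[str]] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if not is_ime(flow.app):
            continue  # only keyboard apps carry keystrokes by construction
        verdict = classify(flow)
        if verdict != "protected":
            findings.setdefault(flow.app, []).append(
                f"{verdict} to {flow.dst} {flow.detail}".rstrip())
    return findings


if __name__ == "__main__":
    for app, issues in audit(SAMPLE_FLOWS).items():
        print(app)
        for issue in issues:
            print("   ", issue)
```

The "unverified" verdict is the one that matters for the keyboards this page describes: a vendor-specific encryption scheme looks like opaque bytes on the wire, and a network observer cannot tell a sound scheme from a weak one. Treating it as unproven, rather than as protected, is the conservative default, and it is why the page's user-side advice is to turn off cloud prediction or revoke the keyboard's network access rather than to trust the transport.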

Of the nine keyboard app vendors we analyzed, we found that only one, Huawei, had no security issues related to the transmission of user keystrokes in their apps.

Please note that we have not conducted a complete audit of these apps, nor have we attempted to exhaustively discover all security vulnerabilities in them. Our report analyzes the keyboard apps for a specific class of vulnerabilities that we discovered, and the absence of reports of other vulnerabilities should not be taken as evidence that none exist.

How will the discovery of these vulnerabilities affect users of these keyboard apps?

Keystrokes are particularly sensitive information because they contain all the information you enter on your device, such as passwords, financial data, and browsing data. We estimate that up to 1 billion users could have their keystrokes intercepted, posing a significant risk to user security.

We have notified all affected vendors and in most cases they have updated their apps to address the vulnerability. We urgently recommend that users update their keyboards and operating systems, or switch to keyboards that only use “on-device” prediction (i.e., that are not “cloud-based”). Keyboards that are not cloud-based include Google's Gboard and Apple's default iOS keyboard.

Given these findings, what do researchers recommend users do?

First, high-risk users and those with privacy concerns should not enable “cloud-based” functionality in their keyboards or IMEs. iOS users can also restrict a keyboard's network access by revoking the “full access” permission for that keyboard or IME.

QQ Pinyin users should switch keyboards immediately. Honor device users should disable the pre-installed Baidu keyboard and use a different third-party keyboard. In addition, Baidu's updated network security protocols still contain privacy weaknesses, so we generally recommend against using Baidu keyboards.

Otherwise, users of Sogou, Baidu, or iFlytek keyboards (including versions bundled with or pre-installed on the operating system) should ensure that their keyboard and operating system are up to date. At-risk users may consider switching to a keyboard that is not cloud-based, such as Google's Gboard or Apple's default iOS keyboard.

How can users protect themselves if updates for a particular keyboard are not available?

In some cases, we encountered problems updating the keyboard on our test devices. In such cases, users are advised to disable those keyboards and switch to a different keyboard.

How did the vendors respond to the findings?

We have notified all affected vendors and in most cases they have updated their apps to address the vulnerability.

All companies responded to our disclosures except Baidu, Vivo, and Xiaomi. Although Baidu fixed the most severe issues we reported immediately after disclosure, it has not yet fixed all of the issues we reported. The mobile device manufacturers whose pre-installed keyboard apps we analyzed fixed the issues in their own apps, but the Baidu apps they ship addressed only the most severe issues or, in Honor's case, none at all (see the table below: security status of the analyzed apps as of April 1, 2024).

Legend:
✘✘   Practical exploit created to decrypt keystrokes sent to both active and passive eavesdroppers
✘    Practical exploit created to decrypt keystrokes sent to active eavesdroppers
!    Weakness in encryption implementation
✔    No known issues, or all known issues fixed
N/A  Product not available or not analyzed

Third-party keyboard developer (Android / iOS / Windows)

Tencent†   ✘     N/A   ✘
Baidu      !     !
iFlytek    ✔     ✔     ✔

Pre-installed keyboard developer

Samsung   ✔     ✔*    !     N/A   N/A   N/A
Huawei    ✔*    ✔     N/A   N/A   N/A   N/A
Xiaomi    N/A   ✔*    !     ✔     N/A   N/A
OPPO      N/A   ✔     !*    N/A   N/A   N/A
Vivo      ✔*    ✔     N/A   N/A   N/A   N/A
Honor     N/A   N/A   ✘✘*   N/A   N/A   N/A

* Default keyboard app on the test device. † Both QQ Pinyin and Sogou IME are developed by Tencent. This report analyzed QQ Pinyin and found the same issues previously encountered with Sogou IME.

In summary, no working exploits remain against any product except Honor's keyboard app and Tencent's QQ Pinyin. Baidu's keyboard apps on other devices still have encryption weaknesses, but these cannot currently be exploited to fully decrypt a user's keystrokes in transit.

